Typescript disclosed Api Key

Cristianrage · May 28, 2025, 3:25pm

I find that there is no rule to detect disclosed api-keys like this case for the language typescript:

                    const authReq = request.clone({
                        setHeaders: {
                            Authorization: `Bearer ${res?.signInUserSession.idToken.jwtToken}`,
                            'x-api-key': environment.production
                                ? `asjdhaskjhccjkhsdas`
                                : `dasjhdajskhcajsdhqusadjhk`,
                        },

The compliant way should be:

                    const authReq = request.clone({
                        setHeaders: {
                            Authorization: `Bearer ${res?.signInUserSession.idToken.jwtToken}`,
                            'x-api-key': environment.production
                                ? `${environment.API_KEY_PROD}`
                                : `${environment.API_kEY_DEV}`,
                        },

Is it possible the existence of a rule to detect these cases?

Colin · May 30, 2025, 7:00am

Hey @Cristianrage!

We do have a number of rules for secrets detection that focus on supporting specific providers. The rules available to you vary on which product you’re using (SonarQube Community Build / Server / Cloud). Which are you using?

You’ve obfuscated the real keys (rightfully so!). Do they belong to a specific provider?

Cristianrage · May 30, 2025, 2:21pm

Hi @Colin

The keys from the code I’ve pasted are dummy keys, the real ones have been replaced after the finding and ofuscated.

I 've tested this case with two sonarqube instances:

Sonarqube Community edition 9.9.6.92038
Sonarqube Enterprise edition * Version 9.9.1 (build 69595)

The original api keys aren’t from a provider, there are from an api developed for an internal solution.

Colin · June 3, 2025, 10:16am

Hey there.

Normally I’d push you to try on a supported version of SonarQube, but this was simple enough for me to try and reproduce on SonarQube Cloud. I’m surprised that a Security Hotspot isn’t raised. I’ll flag this for attention.

michal.zgliczynski · June 5, 2025, 8:03am

Hi @Cristianrage,

Thank you for reporting. Indeed, we should be catching such issues. I believe this rule should have triggered: RSPEC

I did a quick test and I believe it doesn’t trigger as you are using a ternary expression. I also checked that it doesn’t trigger within an object assignment. I’ve created a ticket to track this: Jira

Kind regards,
Michal

Topic		Replies	Views
API key/tokens in Sonarcloud SonarQube Cloud tokens , sonarqube-cloud	5	2320	March 10, 2021
Security code reviews now available in TypeScript and 4 new Code Smell rules for JavaScript Sonar Updates javascript , typescript , sonarqube-cloud	0	1169	October 14, 2019
JavaScript and TypeScript analyzers detect cryptography-related security issues Sonar Updates javascript , typescript , security , crypto	0	1321	October 27, 2020
False Positive fro typescript:S4790 SonarQube Cloud typescript , sonarqube-cloud	2	592	October 15, 2021
Hardcoded credentials are not shown during the sonar scan SonarQube Server / Community Build	6	60	November 19, 2024

Typescript disclosed Api Key

Related topics